google.golang.org/grpc@v1.72.2/test/xds/xds_client_certificate_providers_test.go (about) 1 /* 2 * 3 * Copyright 2023 gRPC authors. 4 * 5 * Licensed under the Apache License, Version 2.0 (the "License"); 6 * you may not use this file except in compliance with the License. 7 * You may obtain a copy of the License at 8 * 9 * http://www.apache.org/licenses/LICENSE-2.0 10 * 11 * Unless required by applicable law or agreed to in writing, software 12 * distributed under the License is distributed on an "AS IS" BASIS, 13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 * See the License for the specific language governing permissions and 15 * limitations under the License. 16 * 17 */ 18 19 package xds_test 20 21 import ( 22 "context" 23 "crypto/tls" 24 "fmt" 25 "strings" 26 "testing" 27 28 "github.com/google/uuid" 29 "google.golang.org/grpc" 30 "google.golang.org/grpc/codes" 31 "google.golang.org/grpc/connectivity" 32 "google.golang.org/grpc/credentials/insecure" 33 xdscreds "google.golang.org/grpc/credentials/xds" 34 "google.golang.org/grpc/internal" 35 "google.golang.org/grpc/internal/stubserver" 36 "google.golang.org/grpc/internal/testutils" 37 "google.golang.org/grpc/internal/testutils/xds/e2e" 38 "google.golang.org/grpc/internal/testutils/xds/e2e/setup" 39 "google.golang.org/grpc/internal/xds/bootstrap" 40 "google.golang.org/grpc/peer" 41 "google.golang.org/grpc/resolver" 42 "google.golang.org/grpc/status" 43 44 v3clusterpb "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3" 45 v3corepb "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" 46 v3endpointpb "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3" 47 v3listenerpb "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3" 48 v3routepb "github.com/envoyproxy/go-control-plane/envoy/config/route/v3" 49 v3tlspb "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3" 50 testgrpc "google.golang.org/grpc/interop/grpc_testing" 51 testpb "google.golang.org/grpc/interop/grpc_testing" 52 ) 53 54 // Tests the case where the bootstrap configuration contains no certificate 55 // providers, and xDS credentials with an insecure fallback is specified at dial 56 // time. The management server is configured to return client side xDS resources 57 // with no security configuration. The test verifies that the gRPC client is 58 // able to make RPCs to the backend which is configured to accept plaintext 59 // connections. This ensures that the insecure fallback credentials are getting 60 // used on the client. 61 func (s) TestClientSideXDS_WithNoCertificateProvidersInBootstrap_Success(t *testing.T) { 62 // Spin up an xDS management server. 63 mgmtServer, nodeID, _, resolverBuilder := setup.ManagementServerAndResolver(t) 64 65 // Spin up a test backend. 66 server := stubserver.StartTestService(t, nil) 67 defer server.Stop() 68 69 // Configure client side xDS resources on the management server, with no 70 // security configuration in the Cluster resource. 71 const serviceName = "my-service-client-side-xds" 72 resources := e2e.DefaultClientResources(e2e.ResourceParams{ 73 DialTarget: serviceName, 74 NodeID: nodeID, 75 Host: "localhost", 76 Port: testutils.ParsePort(t, server.Address), 77 SecLevel: e2e.SecurityLevelNone, 78 }) 79 ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) 80 defer cancel() 81 if err := mgmtServer.Update(ctx, resources); err != nil { 82 t.Fatal(err) 83 } 84 85 // Create client-side xDS credentials with an insecure fallback. 86 creds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()}) 87 if err != nil { 88 t.Fatal(err) 89 } 90 91 // Create a ClientConn and make a successful RPC. 92 cc, err := grpc.NewClient(fmt.Sprintf("xds:///%s", serviceName), grpc.WithTransportCredentials(creds), grpc.WithResolvers(resolverBuilder)) 93 if err != nil { 94 t.Fatalf("failed to dial local test server: %v", err) 95 } 96 defer cc.Close() 97 98 client := testgrpc.NewTestServiceClient(cc) 99 if _, err := client.EmptyCall(ctx, &testpb.Empty{}, grpc.WaitForReady(true)); err != nil { 100 t.Fatalf("EmptyCall() failed: %v", err) 101 } 102 } 103 104 // Tests the case where the bootstrap configuration contains no certificate 105 // providers, and xDS credentials with an insecure fallback is specified at dial 106 // time. The management server is configured to return client side xDS resources 107 // with an mTLS security configuration. The test verifies that the gRPC client 108 // moves to TRANSIENT_FAILURE and rpcs fail with the expected error code and 109 // string. This ensures that when the certificate provider instance name 110 // specified in the security configuration is not present in the bootstrap, 111 // channel creation does not fail, but it moves to TRANSIENT_FAILURE and 112 // subsequent rpcs fail. 113 func (s) TestClientSideXDS_WithNoCertificateProvidersInBootstrap_Failure(t *testing.T) { 114 // Start an xDS management server. 115 mgmtServer := e2e.StartManagementServer(t, e2e.ManagementServerOptions{AllowResourceSubset: true}) 116 117 // Create bootstrap configuration pointing to the above management server, 118 // with no certificate providers. 119 nodeID := uuid.New().String() 120 bc, err := bootstrap.NewContentsForTesting(bootstrap.ConfigOptionsForTesting{ 121 Servers: []byte(fmt.Sprintf(`[{ 122 "server_uri": %q, 123 "channel_creds": [{"type": "insecure"}] 124 }]`, mgmtServer.Address)), 125 Node: []byte(fmt.Sprintf(`{"id": "%s"}`, nodeID)), 126 }) 127 if err != nil { 128 t.Fatalf("Failed to create bootstrap configuration: %v", err) 129 } 130 131 // Create an xDS resolver with the above bootstrap configuration. 132 if internal.NewXDSResolverWithConfigForTesting == nil { 133 t.Fatalf("internal.NewXDSResolverWithConfigForTesting is nil") 134 } 135 resolverBuilder, err := internal.NewXDSResolverWithConfigForTesting.(func([]byte) (resolver.Builder, error))(bc) 136 if err != nil { 137 t.Fatalf("Failed to create xDS resolver for testing: %v", err) 138 } 139 140 // Spin up a test backend. 141 server := stubserver.StartTestService(t, nil) 142 defer server.Stop() 143 144 // Configure client side xDS resources on the management server, with mTLS 145 // security configuration in the Cluster resource. 146 const serviceName = "my-service-client-side-xds" 147 const clusterName = "cluster-" + serviceName 148 const endpointsName = "endpoints-" + serviceName 149 resources := e2e.DefaultClientResources(e2e.ResourceParams{ 150 DialTarget: serviceName, 151 NodeID: nodeID, 152 Host: "localhost", 153 Port: testutils.ParsePort(t, server.Address), 154 SecLevel: e2e.SecurityLevelNone, 155 }) 156 resources.Clusters = []*v3clusterpb.Cluster{e2e.DefaultCluster(clusterName, endpointsName, e2e.SecurityLevelMTLS)} 157 ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) 158 defer cancel() 159 if err := mgmtServer.Update(ctx, resources); err != nil { 160 t.Fatal(err) 161 } 162 163 // Create client-side xDS credentials with an insecure fallback. 164 creds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()}) 165 if err != nil { 166 t.Fatal(err) 167 } 168 169 // Create a ClientConn and ensure that it moves to TRANSIENT_FAILURE. 170 cc, err := grpc.NewClient(fmt.Sprintf("xds:///%s", serviceName), grpc.WithTransportCredentials(creds), grpc.WithResolvers(resolverBuilder)) 171 if err != nil { 172 t.Fatalf("grpc.NewClient() failed: %v", err) 173 } 174 defer cc.Close() 175 cc.Connect() 176 testutils.AwaitState(ctx, t, cc, connectivity.TransientFailure) 177 178 // Make an RPC and ensure that expected error is returned. 179 wantErr := fmt.Sprintf("identity certificate provider instance name %q missing in bootstrap configuration", e2e.ClientSideCertProviderInstance) 180 client := testgrpc.NewTestServiceClient(cc) 181 if _, err := client.EmptyCall(ctx, &testpb.Empty{}); status.Code(err) != codes.Unavailable || !strings.Contains(err.Error(), wantErr) { 182 t.Fatalf("EmptyCall() failed: %v, wantCode: %s, wantErr: %s", err, codes.Unavailable, wantErr) 183 } 184 } 185 186 // Tests the case where the bootstrap configuration contains one certificate 187 // provider, and xDS credentials with an insecure fallback is specified at dial 188 // time. The management server responds with three clusters: 189 // 1. contains valid security configuration pointing to the certificate provider 190 // instance specified in the bootstrap 191 // 2. contains no security configuration, hence should use insecure fallback 192 // 3. contains invalid security configuration pointing to a non-existent 193 // certificate provider instance 194 // 195 // The test verifies that RPCs to the first two clusters succeed, while RPCs to 196 // the third cluster fails with an appropriate code and error message. 197 func (s) TestClientSideXDS_WithValidAndInvalidSecurityConfiguration(t *testing.T) { 198 // Spin up an xDS management server. 199 mgmtServer := e2e.StartManagementServer(t, e2e.ManagementServerOptions{AllowResourceSubset: true}) 200 201 // Create bootstrap configuration pointing to the above management server. 202 nodeID := uuid.New().String() 203 bc := e2e.DefaultBootstrapContents(t, nodeID, mgmtServer.Address) 204 205 // Create an xDS resolver with the above bootstrap configuration. 206 var xdsResolver resolver.Builder 207 if newResolver := internal.NewXDSResolverWithConfigForTesting; newResolver != nil { 208 var err error 209 xdsResolver, err = newResolver.(func([]byte) (resolver.Builder, error))(bc) 210 if err != nil { 211 t.Fatalf("Failed to create xDS resolver for testing: %v", err) 212 } 213 } 214 215 // Create test backends for all three clusters 216 // backend1 configured with TLS creds, represents cluster1 217 // backend2 configured with insecure creds, represents cluster2 218 // backend3 configured with insecure creds, represents cluster3 219 serverCreds := testutils.CreateServerTLSCredentials(t, tls.RequireAndVerifyClientCert) 220 server1 := stubserver.StartTestService(t, nil, grpc.Creds(serverCreds)) 221 defer server1.Stop() 222 server2 := stubserver.StartTestService(t, nil) 223 defer server2.Stop() 224 server3 := stubserver.StartTestService(t, nil) 225 defer server3.Stop() 226 227 // Configure client side xDS resources on the management server. 228 const serviceName = "my-service-client-side-xds" 229 const routeConfigName = "route-" + serviceName 230 const clusterName1 = "cluster1-" + serviceName 231 const clusterName2 = "cluster2-" + serviceName 232 const clusterName3 = "cluster3-" + serviceName 233 const endpointsName1 = "endpoints1-" + serviceName 234 const endpointsName2 = "endpoints2-" + serviceName 235 const endpointsName3 = "endpoints3-" + serviceName 236 listeners := []*v3listenerpb.Listener{e2e.DefaultClientListener(serviceName, routeConfigName)} 237 // Route configuration: 238 // - "/grpc.testing.TestService/EmptyCall" --> cluster1 239 // - "/grpc.testing.TestService/UnaryCall" --> cluster2 240 // - "/grpc.testing.TestService/FullDuplexCall" --> cluster3 241 routes := []*v3routepb.RouteConfiguration{{ 242 Name: routeConfigName, 243 VirtualHosts: []*v3routepb.VirtualHost{{ 244 Domains: []string{serviceName}, 245 Routes: []*v3routepb.Route{ 246 { 247 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/EmptyCall"}}, 248 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ 249 ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName1}, 250 }}, 251 }, 252 { 253 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/UnaryCall"}}, 254 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ 255 ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName2}, 256 }}, 257 }, 258 { 259 Match: &v3routepb.RouteMatch{PathSpecifier: &v3routepb.RouteMatch_Prefix{Prefix: "/grpc.testing.TestService/FullDuplexCall"}}, 260 Action: &v3routepb.Route_Route{Route: &v3routepb.RouteAction{ 261 ClusterSpecifier: &v3routepb.RouteAction_Cluster{Cluster: clusterName3}, 262 }}, 263 }, 264 }, 265 }}, 266 }} 267 // Clusters: 268 // - cluster1 with cert provider name e2e.ClientSideCertProviderInstance. 269 // - cluster2 with no security configuration. 270 // - cluster3 with non-existent cert provider name. 271 clusters := []*v3clusterpb.Cluster{ 272 e2e.DefaultCluster(clusterName1, endpointsName1, e2e.SecurityLevelMTLS), 273 e2e.DefaultCluster(clusterName2, endpointsName2, e2e.SecurityLevelNone), 274 func() *v3clusterpb.Cluster { 275 cluster3 := e2e.DefaultCluster(clusterName3, endpointsName3, e2e.SecurityLevelMTLS) 276 cluster3.TransportSocket = &v3corepb.TransportSocket{ 277 Name: "envoy.transport_sockets.tls", 278 ConfigType: &v3corepb.TransportSocket_TypedConfig{ 279 TypedConfig: testutils.MarshalAny(t, &v3tlspb.UpstreamTlsContext{ 280 CommonTlsContext: &v3tlspb.CommonTlsContext{ 281 ValidationContextType: &v3tlspb.CommonTlsContext_ValidationContextCertificateProviderInstance{ 282 ValidationContextCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ 283 InstanceName: "non-existent-certificate-provider-instance-name", 284 }, 285 }, 286 TlsCertificateCertificateProviderInstance: &v3tlspb.CommonTlsContext_CertificateProviderInstance{ 287 InstanceName: "non-existent-certificate-provider-instance-name", 288 }, 289 }, 290 }), 291 }, 292 } 293 return cluster3 294 }(), 295 } 296 // Endpoints for each of the above clusters with backends created earlier. 297 endpoints := []*v3endpointpb.ClusterLoadAssignment{ 298 e2e.DefaultEndpoint(endpointsName1, "localhost", []uint32{testutils.ParsePort(t, server1.Address)}), 299 e2e.DefaultEndpoint(endpointsName2, "localhost", []uint32{testutils.ParsePort(t, server2.Address)}), 300 } 301 resources := e2e.UpdateOptions{ 302 NodeID: nodeID, 303 Listeners: listeners, 304 Routes: routes, 305 Clusters: clusters, 306 Endpoints: endpoints, 307 SkipValidation: true, 308 } 309 ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) 310 defer cancel() 311 if err := mgmtServer.Update(ctx, resources); err != nil { 312 t.Fatal(err) 313 } 314 315 // Create client-side xDS credentials with an insecure fallback. 316 clientCreds, err := xdscreds.NewClientCredentials(xdscreds.ClientOptions{FallbackCreds: insecure.NewCredentials()}) 317 if err != nil { 318 t.Fatal(err) 319 } 320 321 // Create a ClientConn. 322 cc, err := grpc.NewClient(fmt.Sprintf("xds:///%s", serviceName), grpc.WithTransportCredentials(clientCreds), grpc.WithResolvers(xdsResolver)) 323 if err != nil { 324 t.Fatalf("failed to dial local test server: %v", err) 325 } 326 defer cc.Close() 327 328 // Make an RPC to be routed to cluster1 and verify that it succeeds. 329 client := testgrpc.NewTestServiceClient(cc) 330 peer := &peer.Peer{} 331 if _, err := client.EmptyCall(ctx, &testpb.Empty{}, grpc.WaitForReady(true), grpc.Peer(peer)); err != nil { 332 t.Fatalf("EmptyCall() failed: %v", err) 333 } 334 if got, want := peer.Addr.String(), server1.Address; got != want { 335 t.Errorf("EmptyCall() routed to %q, want to be routed to: %q", got, want) 336 337 } 338 339 // Make an RPC to be routed to cluster2 and verify that it succeeds. 340 if _, err := client.UnaryCall(ctx, &testpb.SimpleRequest{}, grpc.Peer(peer)); err != nil { 341 t.Fatalf("UnaryCall() failed: %v", err) 342 } 343 if got, want := peer.Addr.String(), server2.Address; got != want { 344 t.Errorf("EmptyCall() routed to %q, want to be routed to: %q", got, want) 345 } 346 347 // Make an RPC to be routed to cluster3 and verify that it fails. 348 const wantErr = `identity certificate provider instance name "non-existent-certificate-provider-instance-name" missing in bootstrap configuration` 349 if _, err := client.FullDuplexCall(ctx); status.Code(err) != codes.Unavailable || !strings.Contains(err.Error(), wantErr) { 350 t.Fatalf("FullDuplexCall failed: %v, wantCode: %s, wantErr: %s", err, codes.Unavailable, wantErr) 351 } 352 }